Suggested Apps in Windows Ink Workspace Blocked

💼 Management Summary

Suggested apps in Windows Ink Workspace must be blocked to prevent Microsoft Store app recommendations from being shown based on user activity tracking.

Recommendation: IMPLEMENT
Risk without: Low
Risk Score: 2/10
Implementation: 1h (tech: 0.5h)
Applies to: Windows 10, Windows 11

INK WORKSPACE SUGGESTIONS: Windows Ink (pen/stylus input) suggests apps from the Microsoft Store. PRIVACY: tracking of pen usage patterns; recommendations based on user behavior analysis. ENTERPRISE: no business need for consumer app suggestions; controlled app deployment via Intune (not the Microsoft Store). TELEMETRY: data about ink usage is sent to Microsoft.

PowerShell Modules Required
Primary API: Intune / Group Policy
Connection: Registry
Required Modules:

Implementation

Block suggestions: various registry paths control Ink Workspace suggestions. EFFECT: no app suggestions in Ink Workspace, no telemetry about pen usage, and Ink functionality keeps working (just without suggestions).

Requirements

Windows 10/11 with pen/stylus support

Implementation

Use the PowerShell script allow-suggested-apps-in-windows-ink-workspace-is-set-to-block.ps1 (function Invoke-Remediation) – Block Ink suggestions.

Monitoring

Use the PowerShell script allow-suggested-apps-in-windows-ink-workspace-is-set-to-block.ps1 (function Invoke-Monitoring) – Verify suggestions blocked.

Compliance and Auditing

  1. GDPR (AVG) - Privacy
  2. BIO 14.02

Remediation

Use the PowerShell script allow-suggested-apps-in-windows-ink-workspace-is-set-to-block.ps1 (function Invoke-Remediation) – Remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Intune Security Options: Ink Workspace Suggested Apps Blocked
.DESCRIPTION
    CIS - Suggested apps in Windows Ink blocked.
.NOTES
    Filename: ink-suggested-apps.ps1
    Author:   Nederlandse Baseline voor Veilige Cloud
    Registry: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace\AllowSuggestedAppsInWindowsInkWorkspace
    Expected: 0
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]
param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)

$ErrorActionPreference = 'Stop'
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace"
$RegName = "AllowSuggestedAppsInWindowsInkWorkspace"
$ExpectedValue = 0   # 0 = suggested apps blocked

# Returns $true when the current session runs as a local Administrator.
function Connect-RequiredServices {
    $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Reads the policy value and reports whether it matches the expected setting.
function Test-Compliance {
    $r = [PSCustomObject]@{
        ScriptName    = "ink-apps.ps1"
        PolicyName    = "Ink Suggested Apps"
        IsCompliant   = $false
        CurrentValue  = $null
        ExpectedValue = "Blocked"
        Details       = @()
    }
    try {
        if (Test-Path $RegPath) {
            $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
            if ($v) { $r.CurrentValue = $v.$RegName }
            if ($v -and $v.$RegName -eq $ExpectedValue) {
                $r.IsCompliant = $true
                $r.Details += "Suggested apps blocked"
            }
            else {
                $r.Details += "Suggested apps enabled"
            }
        }
        else {
            # No policy key: Windows allows suggested apps by default, so an
            # unconfigured device does not meet the "Block" requirement.
            $r.Details += "Policy not configured (suggested apps allowed by default)"
        }
    }
    catch {
        $r.Details += "Error: $($_.Exception.Message)"
    }
    return $r
}

# Creates the policy key if needed and sets the value to 0 (blocked).
function Invoke-Remediation {
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force
    Write-Host "Ink suggested apps blocked" -ForegroundColor Green
}

# Prints the compliance state and returns the result object.
function Invoke-Monitoring {
    $r = Test-Compliance
    $state = if ($r.IsCompliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' }
    $color = if ($r.IsCompliant) { 'Green' } else { 'Red' }
    Write-Host "`n$($r.PolicyName): $state" -ForegroundColor $color
    return $r
}

# Removes the policy value, returning the device to the unconfigured state.
function Invoke-Revert {
    Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
}

try {
    if (-not (Connect-RequiredServices)) { exit 1 }
    if ($Monitoring) {
        $r = Invoke-Monitoring
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    }
    elseif ($Remediation) {
        if (-not $WhatIf) { Invoke-Remediation }
    }
    elseif ($Revert) {
        Invoke-Revert
    }
    else {
        # Default mode: silent compliance check, exit code 0 = compliant.
        $r = Test-Compliance
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    }
}
catch {
    Write-Error $_
    exit 1
}

Risk without implementation

Low: Low privacy risk: Ink usage tracking. No business value for app suggestions.

Management Summary

Block Windows Ink suggested apps. Privacy protection. Implementation: 30-60 min.